As most housing professionals are (or should be) aware, the General Data Protection Regulation (GDPR) will come into force from May 2018, and housing providers should be paying particular attention to what it is and what it could mean for them.
Housing providers hold a great deal of personal tenant data. From name, date of birth and address, through to household composition, gender and number of dependants, any single provider could be carrying tens of thousands, if not more, of sensitive data points, especially if it’s involved in providing assisted housing for the elderly, vulnerable people or those with a disability. It may also share tenant data with building contractors and other external agencies. In both cases, housing officials remain responsible for the protection and privacy of tenant data.
It has been said that housing associations could begin to rival major housebuilders in construction output. However, as new ‘super-associations’ (such as last year’s merger of London & Quadrant and East Thames) emerge, what should they take into consideration? To begin with, their cyber security and data protection strategies should be at the very heart of all their decision-making.
When two companies join, for better or for worse, so too must their data. There are several factors to consider to ensure that the integration is seamless. It can often be an unwieldy process, but it all comes down to very careful strategising and planning. Before merging, housing providers must map each other’s IT infrastructure and perform due diligence. GDPR will undoubtedly make M&A more of a challenge, and increase risks if careful examination of data is not carried out. GDPR must be clearly adhered to by both parties to ensure data mergers are executed quickly and cleanly.
GDPR will introduce a requirement for organisations to ensure that data protection is at the forefront of all managerial decisions. Compliance with its requirements must be evidenced through policies, procedures, technical measures and training. Housing providers will be required to significantly update their practices to reflect the changes between the current Data Protection Act (1998) and GDPR next year.
With larger housing providers comes much more tenant data, and some are already looking into ways of streamlining processes by turning to digital. As a recent KPMG report highlighted, data analytics and software tools could help them manage areas such as fraud, error and debt. But where any new systems are deployed, whether manual or automated, GDPR states that organisations must design them with data protection in mind from the outset and ensure they adopt a ‘privacy by design’ approach.
An important first step in compliance is to appoint a data protection officer (DPO) who will act as the first point of contact for staff with any queries on how to comply. GDPR centres on responsible and accountable dealings with data. It’s therefore vital that housing providers identify individuals who can lead the charge in GDPR compliance in addition to being able to shoulder the blame if something goes wrong.
Another important step is to perform a data audit outlining where data comes from, why it’s being collected, where it’s held and where it goes. Tenants must be kept front of mind, and transparency and openness when communicating with them should be promoted. Housing officers must be prepared to explain exactly what they are using their data for, how it might be shared, the legal basis for processing it, and how long it will be kept for.
One of GDPR’s main goals is to make sure organisations clearly outline requirements for consent in the provision of information. Housing officers will need to ensure their contracts for obtaining and using tenant data are up-to-date, clear and accessible to all, without unnecessary jargon.
Tenants should be made aware of their rights, which include the ability to complain about the way in which their data is being used or handled, and the right to be ‘forgotten’, allowing an individual to request the erasure of personal data when they see no reason for its continued storage.
Individuals are also able to withdraw consent for their data to be used at any time, and have a right to data portability, allowing tenants to obtain and reuse their personal data for their own purposes across different services.
A tenant must be able to access their own information on request, meaning housing officers should know exactly where and how their data is held at any one time. Housing providers must ensure they negotiate with IT suppliers to build additional functionalities into their systems allowing for the above tenant rights to be executed.
The security of tenant data is critical, and housing providers must also review their data security ahead of GDPR coming into force. Is there adequate firewall and virus protection? Is there a clear password policy? Is there a procedure for data breach management and do staff understand it?
Every data breach likely to have an impact on individuals must be reported to the Information Commissioner’s Office (ICO) within 72 hours of a housing provider becoming aware of it. Under GDPR, organisations can provide information in phases as investigations progress, but this requirement will precipitate a change to internal reporting processes and requirements that should be imposed on suppliers.
If a breach is serious enough to warrant notification to the public, the housing provider responsible must do so without delay. Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros, or two per cent of a housing provider’s turnover.
Looking ahead at the housing market, we can expect to see further consolidation between housing providers, but one thing they must ensure is that when it comes to data protection, all parties are on the same page. In every case, those at executive management and board level are accountable for compliance, requiring them to produce and maintain documents that demonstrate the actions undertaken to adhere to GDPR.
The changes put in place will require new and updated measures, and will potentially result in budgetary, personnel, governance and communications procedures having to be altered.
There are substantial differences between GDPR compared with the original Data Protection Act. With the scrutiny and penalties dramatically intensifying for non-adherence, the time to start acting and planning for the changes coming into force in eight months’ time is now.
Helena Brown is a data protection partner at Addleshaw Goddard.